Challenges)in)Cloud)) Compu0ng)Security)...Challenges)in)Cloud)) Compu0ng)Security)!!!!...

Challenges)in)Cloud))Compu0ng)Security)

!!!!

Carlos)B.)Westphall,)Carla)M.)Westphall,)Rafael)Weingärtner,)Daniel)R.)dos)Santos,)Paulo)F.)da)Silva,)

Pedro)A.)F.)ViD,)Kleber)M.)M.)Vieira))!

Networks)and)Management)Laboratory)Federal)University)of)Santa)Catarina)

NOVEMBER)16TH,)LISBON,)PORTUGAL) IARIA)NetWare)2014)W)TUTORIAL)2) 1!

Summary!

)  Cloud!Compu/ng!Security!Monitoring!!)  Federated! Iden/ty! to! Cloud! Environment!Using!Shibboleth!

)  A! Vision! of! Privacy! on! Iden/ty! Management!Systems!!

)  Risk)based! Access! Control! Architecture! for!Cloud!Compu/ng!

)  RAClouds!–!Risk!Analysis!for!Clouds!

!!!!

NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 2!

Cloud!Compu/ng!!Security!Monitoring!!

NOVEMBER!16TH,!LISBON,!PORTUGAL! 3!IARIA!NetWare!2014!)!TUTORIAL!2!

Outline!

1.  INTRODUCTION!!2.  RELATED!WORKS!3.  SECURITY!CONCERNS!IN!CLOUD!COMPUTING!4.  CLOUD!MONITORING!5.  SECURITY!CONCERNS!IN!SLA!6.  CLOUD!SECURITY!MONITORING!7.  CASE!STUDY!

!!!!


Outline!

8.!KEY!LESSONS!LEARNED!9.!CONCLUSIONS!AND!FUTURE!WORKS!10.!SOME!REFERENCES!


1.!INTRODUCTION!

)! Numerous! threats! and! vulnerabili/es! that!become! more! important! as! the! use! of! the!cloud! increases,! as! well! as,! concerns! with!stored!data!and! its!availability,!confiden/ality!and!integrity.!!

)!Need!for!monitoring!tools!and!services,!which!provide!a!way!for!administrators!to!define!and!evaluate!security!metrics!for!their!systems.!!


1.!INTRODUCTION!

)  We! propose! a! cloud! compu/ng! security!monitoring! tool! based! on! our! previous!works! on! both! security! and! management!for!cloud!compu/ng.!

)  Features! of! cloud! compu/ng! such! as!virtualiza/on,!mul/)tenancy!and!ubiquitous!access! provide! a! viable! solu/on! to! service!provisioning!problems.!!


1.!INTRODUCTION!

)  What! are! the! new! risks! associated! with! the!cloud! and! what! other! risks! become! more!cri/cal?!

)  We! provide! some! background! in! security!concerns! in! cloud!compu/ng,!briefly!describe!a! previous! implementa/on! of! a! monitoring!tool! for! the! cloud,! show! how! security!informa/on! can! be! summarized! and! treated!under!a!management!perspec/ve.!


2.!RELATED!WORKS!

)  Uriarte! and! Westphall! [4]! proposed! a!monitoring! architecture! devised! for! private!Cloud! that! considers! the! knowledge!requirements!of!autonomic!systems.!!

)  Fernades!et!al.![5]!surveys!the!works!on!cloud!security! issues,! addressesing! key! topics:!vulnerabili/es,! threats,! and! aeacks,! and!proposes!a!taxonomy!for!their!classifica/on.!!


2.!RELATED!WORKS!

)  Cloud!Security!Alliance![6]!has!iden/fied!the!top!nine!cloud!compu/ng!threats.!The!report!shows!a!consensus!among!industry!experts.!!

)  Mukhtarov! et! al.! [7]! proposed! a! cloud!network!security!monitoring,!which! is!based!on! flow! measurements! and! implements! an!algorithm! that! detects! and! responds! to!network!anomalies.!


!3.!SECURITY!CONCERNS!IN!CLOUDS!

!!)  Each!cloud! technology!presents! some!kind!of!known! vulnerability:! Web! Services,! Service!Oriented!Architecture!(SOA),!Representa/onal!State! Transfer! (REST)! and! Applica/on!Programming! Interfaces! (API),! virtualizarion,!network!infrastructure...![8].!

)  The! usual! three! basic! issues! of! security:!availability,! integrity! and! confiden/ality! are!s/ll!fundamental!in!the!cloud.!!



!!)  Mul/)tenant! characteris/c:! one! single!vulnerable! service! in! a! virtual! machine,!exploita/on! of! many! services! hosted! in! the!same!physical!machine.!

)  Web! appl ica/ons! and! web! services:!suscep/ble!to!a! lot!of!easily!deployed!aeacks!such! as! SQL! injec/on,! Cross)Site! Scrip/ng!(XSS),! Cross)Site! Request! Forgery! (CSRF)! and!session!hijacking.!



!!)  Another! important! topic! in! cloud! security! is!Iden/ty! and! Access! Management,! because! now!data! owners! and! data! providers! are! not! in! the!same!trusted!domain![9].!!

)  The!main! security!management! issues! of! a! Cloud!Serv ice! Prov ider! (CSP)! are:! ava i lab i l i ty!management,! access! control! management,!vulnerability! management,! patch! and! configu)!ra/on! management,! countermeasures,! and! cloud!usage!and!access!monitoring![10].!



!!)  The!cloud!is!an!easy!target!for!an!intruder!trying!to!use!its!abundant!resources!maliciously,!and!the!IDS!also! has! to! be! distributed,! to! be! able! to!monitor!each!node![11].!

)  Distributed! Denial! of! Service! (DDoS)! aeacks! can!have! a! much! broader! impact! on! the! cloud,! since!now! many! services! may! be! hosted! in! the! same!machine.! DDoS! is! a! problem! that! is! s/ll! not! very!well!handled.!



!!)  To! maintain! data! security! a! provider! must!include,! at! least:! an! encryp/on! schema,! an!access!control!system,!and!a!backup!plan![12].!

)  When!moving!to!the!cloud!it!is!important!that!a!prospec/ve!customer!knows!to!what!risks!its!data! are! being! exposed.! Some! of! the! key!points! considered! in! this! migra/on! are!presented!in![13,!20,!and!21].!



!!)  Legal! compliance! is! fundamental! when!dealing! with! cloud! compu/ng.! In! the! cloud!world,! it! is! possible! that! data! cross! many!jurisdic/on!borders.!!

)  Availability!and!confiden/ality!are! cri/cal! to!the! telecommunica/ons! business! and! if!services!are!being!deployed!in!a!public!cloud!without!a!proper!SLA![15].!


!4.!CLOUD!MONITORING!!

!!)  Our! team! has! previously! proposed! and!implemented! an! open)source! cloud!monitoring! architecture! and! tool! called! the!Private!Cloud!Monitoring! System! (PCMONS)![14].!

)  The! architecture! of! the! system! is! divided! in!three! layers:! Infrastructure;! Integra/on;!and!view.!


!4.!CLOUD!MONITORING!!

!!


!5.!SECURITY!CONCERNS!IN!SLA!!!

!!


)  Providers!must!have!ways!to!ensure!their!clients!that!their!data!is!safe!and!must!do!so!by!monitoring!and!enhancing!security!metrics.!

)  SLAs!may!also!be!used! in! the!defini/on,!monitoring! and! evalua/on! of! security!metrics,! in! the! form!of! Security! SLAs,!or!Sec)SLAs![15].!

!6.!CLOUD!SECURITY!MONITORING!!

!!)  We! now! propose! an! extension! to! the!PCMONS! architecture! and! tool! to! enable!security!monitoring!for!cloud!compu/ng.!!

)  We! also! present! the! security!metrics!which!we! consider!adequate! to!be!monitored! in!a!cloud! infrastructure! and! which! provide! a!good! picture! of! security! as! a! whole! in! this!environment.!



!!)  The! tool! uses! data! and! logs! gathered! from!security! somware! available! in! the! monitored!systems,!such!as!IDSs,!an/)malware!somware,!file! system! integrity! verifica/on! somware,!backup! somware,! and! web! applica/on!firewalls.!

)  The! en//es! involved! in! the! defini/on,!configura/on! and! administra/on! of! the!security!SLAs!and!metrics!are:!



!!)  Cloud! users;! Cloud! administrators;! and!Security!applica/ons.!

)  Data!Security!Metrics,!Access!Control!Metrics!and! Server! Security! Metrics! are! shown! in!Table!I,!Table!II,!and!Table!III,!respec/vely.!

)  If!a!virtual!machine!has!had!a!huge!number!of!failed! access! aeempts! in! the! last! hours! we!may!want!to!lock!any!further!access.!



!!

Metric)) Descrip0on))

Encrypted!Data?!! Indicates!whether!the!data!stored!in!the!VM!is!encrypted!!

Encryp/on!Algorithm!! The!algorithm!used!in!the!encryp/on/decryp/on!process!!

Last!backup!! The!date!and!/me!when!the!last!backup!was!performed!!

Last!integrity!check!! The!date!and!/me!when!the!last!file!system!integrity!check!was!performed!!


TABLE!I.!DATA!SECURITY!METRICS!!!


!!


Valid!Accesses!! The!number!of!valid!access!aeempts!in!the!last!24!hours!!

Failed!access!aeempts!!! The!number!of!failed!access!aeempts!in!the!last!24!hours!!

Password!change!interval!! The!frequency!with!which!users!must!change!passwords!in!the!VM’s!opera/ng!system!!


TABLE!II.!ACCESS!CONTROL!METRICS!!!!


!!


Malware!! Number!of!malware!detected!in!the!last!an/)malware!scan!!

Last!malware!scan!! The!date!and!/me!of!the!last!malware!scan!in!the!VM!!

Vulnerabili/es!! Number!of!vulnerabili/es!found!in!the!last!scan!!

Last!vulnerability!scan!! The!date!and!/me!of!the!last!vulnerability!scan!in!the!VM!!

Availability!! Percentage!of!the!/me!in!which!the!VM!is!online!!


TABLE!III.!SERVER!SECURITY!METRICS!!

!7.!CASE!STUDY!

!!)  We!have! implemented!the!metrics!presented!in!Tables!I)III!and!gathered!the!data!generated!in!a!case!study.!

)  The! following! somware! were! used! to! gather!the! secur i t y! i n fo rma/on :! dm)c ryp t!(encryp/on),! rsync! (backup),! tripwire!(filesystem! integrity),! ssh! (remote! access),!clamAV! (an/)malware),! /ger! (vulnerability!assessment)!and!up/me!(availability).!


!7.!CASE!STUDY!

!!


!7.!CASE!STUDY!

!!)  It! represents! how! the! metrics! are! shown! in!Nagios!and!it!is!possible!to!see!the!vision!that!a! network! administrator! has! of! a! single!machine.!!

)  The!metrics!HTTP!CONNECTIONS,!LOAD,!PING,!RAM!and!SSH!are!from!the!previous!version!of!PCMONS! and! are! not! strictly! related! to!security,!but!they!are!show!combined.!


!8.!KEY!LESSONS!LEARNED!!

!!)  The!tool!helps!network!and!security!administrator!perceive! viola/ons! to! Sec)SLAs! and! ac/vely!respond!to!threats.!

)  The! major! piece! of! technology! used! to! provide!security!in!the!cloud!is!cryptography.!

)  Data! leakage! and! data! loss! are! possibly! the!greatest!concerns!of!cloud!users.!

)  Backup!and!recovery!are!also!fundamental!tools!to!ensure!the!availability!of!customer!data.!!



!!)  SLAs! are! fundamental! to! provide! customers!with!the!needed!guarantees.!

)  Defini/on!of!requirements!and!the!monitoring!of!security!metrics!remain!an!important!open!research!topic.!!

)  The!major!decisions!in!this!work!were!related!to!the!security!metrics!and!the!somware!used!to!provide!the!necessary!security!data.!



!!)  The! idea! of! analyzing! logs! to! obtain! security!data! is! classical! in! informa/on!security!and! it!seemed! like! a! natural! approach! to! our!challenges.!

)  To!read,!parse!and!present!the!data!we!chose!to! use! the! Python! programming! language!because! it! already! formed! the! base! of!PCMONS!(Private!Cloud!Monitoring!System).!



!!)  Sepng!up!a!reliable!tes/ng!environment!was!also!extremely! important! to! the! success! of! the!project.!

)  An! important! feature! of! this! extension! of!PCMONS! is! that! it! can! run! over! OpenNebula,!OpenStack!and!CloudStack.!!

)  The! use! of! scrip/ng! languages! in! the!development! process,! such! as! Python! and! Bash!Script!allowed!us!to!define!the!metrics.!


!9.!CONCLUSION!AND!FUTURE!WORK!!!

!!This!work!described:!!)! A! few! of! our! previous! works! in! the! field! of!Cloud! Compu/ng! and! how! to! bring! them! all!together! in! order! to! develop! a! cloud! security!monitoring!architecture;!and!)! The! design! and! implementa/on! of! a! cloud!security!monitoring!tool,!and!how! it!can!gather!data!from!many!security!sources!inside!VMs!and!the!network.!NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 33!

!9.!CONCLUSION!AND!FUTURE!WORK!!!

!!As!future!work:!)  We! can! point! to! the! defini/on! and! imple)!menta/on! of! new! metrics! and! a! beeer!integra/on!with!exis/ng!Security!SLAs;!and!

)  It!would!be!important!to!study!the!integra/on!of! the! security! monitoring! model! with! other!ac/ve!research!fields!in!cloud!security,!such!as!Iden/ty! and! Access! Management! and!Intrusion!Detec/on!Systems.!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [4]! R.! B.! Uriarte! and! C.! B.!Westphall,! “Panoptes:! A!monitoring! architecture! and! framework! for!suppor/ng! autonomic! clouds,”! in! IEEE! Network!Opera/ons!and!Management!Symposium,!2014.!

)  [5]! D.! Fernandes! et! al.,! “Security! issues! in! cloud!environments:! a! survey,”! Interna/onal! Journal! of!Informa/on!Security,!2014.!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [6]!T.!T.!W.!Group!et!al.,!“The!notorious!nine:!cloud!compu/ng! top! threats! in! 2013,”! Cloud! Security!Alliance,!2013.!

)  [7]! M.! Mukhtarov! et! al.,! “Cloud! network! security!monitoring! and! response! system,”! CLOUD!COMPUTING! 2012! (The! Third! Interna/onal!Conference! on! Cloud! Compu/ng,! GRIDs,! and!Virtualiza/on).!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [8]! B.! Grobauer,! et! al.,! “Understanding! cloud!compu/ng! vulnerabili/es,”! Security! Privacy,! IEEE,!vol.!9,!no.!2,!March)April!2011.!

)  [9]!X.!Tan!and!B.!Ai,!“The! issues!of!cloud!compu/ng!security! in! high)speed! railway,”! in! Electronic! and!Mechanical!Engineering!and!Informa/on!Technology!(EMEIT),! 2011! Interna/onal! Conference! on,! vol.! 8,!2011.!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [10]!F.!Sabahi,!“Cloud!compu/ng!security!threats!and!responses,”! in! Communica/on! Somware! and!Networks!(ICCSN),!IEEE!3rd!Interna/onal!Conference!on,!2011.!

)  [11]!K.!Vieira,!et!al.,!“Intrusion!detec/on!for!grid!and!cloud!compu/ng,”!IEEE!IT!Professional,!vol.!12,!no.!4,!2010.!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [12]!L.!Kaufman,!“Data!security!in!the!world!of!cloud!compu/ng,”! Security! Privacy,! IEEE,! vol.! 7,! no.! 4,!2009.!

)  [13]!S.!Chaves!et!al.,!“Customer!security!concerns!in!cloud! compu/ng,”! in! ICN,! The! Tenth! Inter)! na/onal!Conference!on!Networks,!2011.!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [14]!S.!A.!Chaves,!R.!B.!Uriarte,!and!C.!B.!Westphall,!“Toward! an! architecture! for! monitoring! private!clouds,,”!Communica/ons!Magazine,!IEEE,!vol.!49,!n.!12,!2011.!

)  [15]!S.!A.!Chaves,!C.!B.!Westphall,!and!F.!Lamin,!“Sla!perspec/ve! in! security! management! for! cloud!compu/ng,”!in!Networking!and!Services!(ICNS),!2010!Sixth!Interna/onal!Conference!on,!2010.!


10.!REFERENCES!!

References!indicated!in!this!presenta/on:!)  [20]! D.! R.! dos! Santos,! C.! M.! Westphall,! and! C.! B.!Westphall,! “A! dynamic! risk)based! access! control!architecture! for! cloud! compu/ng,”! in! IEEE! Network!Opera/ons! and! Management! Symposium! (NOMS),!2014.!

)  [21]!P.!F.!SIlva!et!al.,!“An!architecture!for!risk!analysis!in! cloud,”! in! ICNS,! The! Tenth! Interna/onal!Conference!on!Networking!and!Services,!2014.!


Federated!Iden/ty!to!Cloud!Environment!Using!Shibboleth!


Content)at)a)Glance)•  Introduc/on!and!Related!Works!•  Cloud!Compu/ng!•  Iden/ty!Management!•  Shibboleth!•  Federated!Mul/)Tenancy!Authoriza/on!System!on!Cloud!– Scenario!–  Implementa/on!of!the!Proposed!Scenario!– Analysis!and!Test!Results!within!Scenario!

•  Conclusions!and!Future!Works!


Introduc/on!•  Cloud!compu/ng!systems:!reduced!upfront!investment,! expected! performance,! high!availability,! infinite! scalability,! fault)tolerance.!•  IAM! (Iden/ty! and! Access! Management)!plays! an! important! role! in! controlling! and!billing!user!access! to! the!shared! resources!in!the!cloud.!


Introduc/on!

•  IAM! systems! need! to! be! protected! by!federa/ons.!

•  Some! technologies! implement! federated!iden/ty,!such!as!the!SAML!(Security!Asser/on!Markup!Language)!and!Shibboleth!system.!

•  The! aim! of! this! paper! is! to! propose! a!mul/)tenancy! author iza/on! system! us ing!Shibboleth!for!cloud)based!environments.!


Related!Work!•  R. Ranchal et al. 2010 - an!approach!for!IDM!is!proposed,! which! is! independent! of! Trusted!Third! Party! (TTP)! and! has! the! ability! to! use!iden/ty!data!on!untrusted!hosts.!

•  P. Angin et al. 2010 - an!en/ty)centric!approach!for! IDM! in! the! cloud! is! proposed.! They!proposed! the! cryptographic! mechanisms! used!in! R. Ranchal et al. without! any! kind! of!implementa/on!or!valida/on.!


This!Work!•  Provide! iden/ty! management! and! access! control! and!aims! to:! (1)! be! an! independent! third! party;! (2)!authen/cate! cloud! services! using! the! user's! privacy!policies,! providing! minimal! informa/on! to! the! Service!Provider! (SP);! (3)! ensure! mutual! protec/on! of! both!clients!and!providers.!

•  This! paper! highlights! the! use! of! a! specific! tool,!Shibboleth,! which! provides! support! to! the! tasks! of!authen/ca/on,!authoriza/on!and!iden/ty!federa/on.!

•  The! main! contribu/on! of! our! work! is! the!implementa/on!in!cloud!and!the!scenario!presented.!

!NOVEMBER!16TH,!LISBON,!PORTUGAL! 47!IARIA!NetWare!2014!)!TUTORIAL!2!

The!NIST!Cloud!Defini/on!Framework!

Community)Cloud)

Private)Cloud)

Public)Cloud)

Hybrid!Clouds!

Deployment!Models!

Service!Models!

Essen/al!Characteris/cs!

Common!!Characteris/cs!

Somware!as!a!Service!(SaaS)!

Plauorm!as!a!Service!(PaaS)!

Infrastructure!as!a!Service!(IaaS)!

Resource!Pooling!

Broad!Network!Access! Rapid!Elas/city!

Measured!Service!

On!Demand!Self)Service!

Low!Cost!Somware!

Virtualiza/on! Service!Orienta/on!

Advanced!Security!

Homogeneity!

Massive!Scale! Resilient!Compu/ng!

Geographic!Distribu/on!

Based!upon!original!chart!created!by!Alex!Dowbor!NOVEMBER!16TH,!LISBON,!PORTUGAL! IARIA!NetWare!2014!)!TUTORIAL!2! 48!

Iden/ty!Management!•  Digital! iden/ty! is! the! representa/on! of! an!en/ty!in!the!form!of!aeributes.!

hep://en.wikipedia.org/wiki/Iden/ty_management!NOVEMBER!16TH,!LISBON,!PORTUGAL! 49!IARIA!NetWare!2014!)!TUTORIAL!2!

Iden/ty!Management!

•  Iden/ty!Management!(IdM)!is!a!set!of!func/ons!and!capabili/es!used!to!ensure!iden/ty!informa/on,!thus!assuring!security.!

•  An! Iden/ty! Management! System! (IMS)! provides!tools!for!managing!individual!iden//es.!

•  An!IMS!involves:!– User!–  Iden/ty!Provider!(IdP)!– Service!Provider!(SP)!


IMS!

•  Provisioning:! addresses! the! provisioning! and!deprovisioning!of!several!types!of!user!accounts.!

•  Authen/ca/on:!ensures!that!the!individual!is!who!he/she!claims!to!be.!

•  Authoriza/on:! provide!different!access! levels! for!different!parts!or!opera/ons!within!a!compu/ng!system.!

•  Federa/on:! it! is! a! group! of! organiza/ons! or! SPs!that!establish!a!circle!of!trust.!


•  The! OASIS! SAML! (Security! Asser/on! Markup!Language)!standard!defines!precise!syntax!and!rules!for!reques/ng,!crea/ng,!communica/ng,!and!using!SAML!asser/ons.!

•  The! Shibboleth! is! an! authen/ca/on! and!authoriza/on! infrastructure! based! on! SAML!that! uses! the! concept! of! federated! iden/ty.!The! Shibboleth! system! is! divided! into! two!en//es:!the!IdP!and!SP.!


Shibboleth!•  The! IdP! is! the! element! responsible! for!authen/ca/ng!users:!Handle!Service!(HS),! !Aeribute!Authority! (AA),! Directory! Service,! Authen/ca/on!Mechanism.!

•  The! SP! Shibboleth! is! where! the! resources! are!stored:! Asser/on! Consumer! Service! (ACS),! ! Aeribute!Requester!(AR),!Resource!Manager!(RM).!

•  The!WAYF! ("Where! Are! You! From",! also! called!the!Discovery!Service)!is!responsible!for!allowing!an!associa/on!between!a!user!and!organiza/on.!


In! Step! 1,! the! user! navigates! to! the! SP! to! access! a! protected!resource.! In! Steps! 2! and! 3,! Shibboleth! redirects! the! user! to! the!WAYF! page,! where! he! should! inform! his! IdP.! In! Step! 4,! the! user!enters!his!IdP,!and!Step!5!redirects!the!user!to!the!site,!which!is!the!component! HS! of! the! IdP.! In! Steps! 6! and! 7,! the! user! enters! his!authen/ca/on!data!and!in!Step!8!the!HS!authen/cate!the!user.!The!HS!creates!a!handle!to!iden/fy!the!user!and!sends!it!also!to!the!AA.!Step!9!sends!that!user!authen/ca/on!handle!to!AA!and!to!ACS.!The!handle!is!checked!by!the!ACS!and!transferred!to!the!AR,!and!in!Step!10! a! session! is! established.! In! Step! 11! the! AR! uses! the! handle! to!request!user!aeributes!to!the! IdP.!Step!12!checks!whether!the! IdP!can!release!the!aeributes!and!in!Step!13!the!AA!responds!with!the!aeribute!values.!In!Step!14!the!SP!receives!the!aeributes!and!passes!them!to!the!RM,!which!loads!the!resource!in!Step!15!to!present!to!the!user.!


Federated!Mul/)Tenancy!Authoriza/on!System!on!Cloud!

•  IdM! can! be! implemented! in! several! different!types!of!configura/on:!–  IdM!can!be!implemented!in)house;!–  IdM! itself! can! be! delivered! as! an! outsourced!service.!This!is!called!Iden/ty!as!a!Service!(IDaaS);!

– Each!cloud!SP!may!independently!implement!a!set!of!IdM!func/ons.!!

•  In! this! work,! it! was! decided! to! use! the! first!case!configura/on:!in)house.!


Configura/ons!of!IDM!systems!on!cloud!compu/ng!environments!


Federated!Mul/)Tenancy!Authoriza/on!System!on!Cloud!

•  This!work!presents! an!authoriza/on!mechanism! to!be!used!by!an!academic! ins/tu/on! to! offer! and! use! the! services! offered! in! the!cloud.!

•  The! part! of! the! management! system! responsible! for! the!authen/ca/on!of!iden/ty!will!be!located!in!the!client!organiza/on.!

•  The! communica/on! with! the! SP! in! the! cloud! (Cloud! Service!Provider,!CSP)!will!be!made!through!iden/ty!federa/on.!

•  The!access!system!performs!authoriza/on!or!access!control! in! the!environment.!!

•  The!ins/tu/on!has!a!responsibility!to!provide!the!user!aeributes!for!the!deployed!applica/on!SP!in!the!cloud.!

•  The!authoriza/on!system!should!be!able!to!accept!mul/ple!clients,!such!as!a!mul/)tenancy.!


Scenario!•  A! service! is! provided! by! an! academic! ins/tu/on!in! a! CSP,! and! shared! with! other! ins/tu/ons.! In!order! to! share! services! is! necessary! that! an!ins/tu/on!is!affiliated!to!the!federa/on.!

•  For! an! ins/tu/on! to! join! the! federa/on! it! must!have! configured! an! IdP! that! meets! the!requirements!imposed!by!the!federa/on.!!

•  Once! affiliated! with! the! federa/on,! the!ins/tu/on! will! be! able! to! authen/cate! its! own!users,! since!authoriza/on! is! the! responsibility!of!the!SP.!


Scenario!)!Academic!Federa/on!sharing!services!in!the!cloud!


Implementa/on!of!the!Proposed!Scenario!

•  A!SP!was!primarily!implemented!in!the!cloud:!– an! Apache! server! on! a! virtual! machine! hired! by!the!Amazon!Web!Services!cloud.!

–  Installa/on!of!the!Shibboleth!SP.!–  Installa/on!of! !DokuWiki,!which! is!an!applica/on!that! allows! the! collabora/ve! edi/ng! of!documents.!

– The! SP! was! configured! with! authoriza/on! via!applica/on,! to! differen/ate! between! common!users!and!administrators!of!Dokuwiki.!


Implementa/on!of!the!Proposed!Scenario!–!Cloud!Service!Provider!


Implementa/on!of!the!Proposed!Scenario!–!cloud!IdP!


Implementa/on!of!the!Proposed!Scenario!

•  The! JASIG! CAS! Server! was! used! to! perform! user!authen/ca/on! through! login! and! password,! and! then!passes!the!authen/cated!users!to!Shibboleth.!

•  The!CAS!has!been! configured! to! search! for!users! in! a!Lightweight! Directory! Access! Protocol! (LDAP).! To! use!this! directory! OpenLDAP! was! installed! in! another!virtual!machine,!also!running!on!Amazon's!cloud.!

•  To!demonstrate!the!use!of!SP!for!more!than!one!client,!another!IdP!was!implemented,!also!in!cloud,!similar!to!the! first.! To! support! this! task! Shibboleth! provides! a!WAYF!component.!


Analysis!and!Test!Results!within!Scenario!

•  In!this!resul/ng!structure,!each!IdP!is!represented!in!a!private!cloud,!and!the!SP!is!in!a!public!cloud.!

The!results!highlighted!two!main!use!cases:!•  Read6access6to6documents6•  Access6for6edi/ng6documents6


Conclusions!

•  The!use!of!federa/ons!in!IdM!plays!a!vital!role.!•  This!work!was!aimed!at!an!alterna/ve!solu/on!to!a! IDaaS.! IDaaS! is!controlled!and!maintained!by!a!third!party.!

•  The! infrastructure! obtained! aims! to:! (1)! be! an!independent! third! party,! (2)! authen/cate! cloud!services! using! the! user's! privacy! policies,!providing! minimal! informa/on! to! the! SP,! (3)!ensure! mutual! protec/on! of! both! clients! and!providers.!


Conclusions!•  This! paper! highlights! the! use! of! a! specific! tool,!Shibboleth,!which! provides! support! to! the! tasks!of! authen/ca/on,! authoriza/on! and! iden/ty!federa/on.!

•  Shibboleth!was!very!flexible!and! it! is!compa/ble!with!interna/onal!standards.!

•  It!was!possible! to!offer!a! service!allowing!public!access! in! the! case! of! read)only! access,! while! at!the! same! /me! requiring! creden/als! where! the!user! must! be! logged! in! order! to! change!documents.!


Future!Work!•  We!propose!an!alterna/ve!authoriza/on!method,!where! the! user,! once! authen/cated,! carries! the!access! policy,! and! the! SP! should! be! able! to!interpret!these!rules.!

•  The! authoriza/on! process! will! no! longer! be!performed!at!the!applica/on!level.!

•  Expanding! the! scenario! to! represent! new! forms!of!communica/on.!

•  Create!new!use!cases!for!tes/ng.!!•  Use!pseudonyms!in!the!CSP!domain.!


Some!References!- E. Bertino, and K. Takahashi, Identity Management - Concepts, Technologies, and Systems. ARTECH HOUSE, 2011. - “Security Guidance for Critical Areas of Focus in Cloud C o m p u t i n g , ” C S A . O n l i n e a t : h t t p : / /www.cloudsecurityalliance.org. - “Domain 12: Guidance for Identity and Access Management V2.1.,” Cloud Security Alliance. - CSA. Online at: https://cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf. - D. W. Chadwick, Federated identity management. Foundations of Security Analysis and Design V, Springer-Verlag: Berlin, Heidelberg 2009 pp. 96–120. NOVEMBER!16TH,!LISBON,!PORTUGAL! 69!IARIA!NetWare!2014!)!TUTORIAL!2!

Some!References!- A. Albeshri, and W. Caelli, “Mutual Protection in a Cloud Computing environment,” Proc. 12th IEEE Intl. Conf. on High Performance Computing and Communications (HPCC 10), pp. 641-646. - R. Ranchal, B. Bhargava, A. Kim, M. Kang, L. B. Othmane, L. Lilien, and M. Linderman, “Protection of Identity Information in Cloud Computing without Trusted Third Party,” Proc. 29th IEEE Intl. Symp. on Reliable Distributed Systems (SRDS 10), pp. 368–372. - P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. B. Othmane, L. Lilien, and M. Linderman, “An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing,” Proc. 29th IEEE Intl. Symp. on Reliable Distributed Systems (SRDS 10), pp. 177–183. NOVEMBER!16TH,!LISBON,!PORTUGAL! 70!IARIA!NetWare!2014!)!TUTORIAL!2!

71!

A!Vision!of!Privacy!on!Iden/ty!Management!Systems!!

!!


BackgroundChallenges

ConclusionsReferences

Agenda

1 BackgroundPrivacyIdentity managementFederation

2 Challenges

3 Conclusions

4 References

2 / 31



PrivacyIdentity managementFederation

Privacy

DefinitionIt is a fundamental human right [2]It is the control of release of personal data [1]It should be a vital characteristic of computingsystems

3 / 31




Privacy/Characteristics

Characteristics of privacy [3]UndetectabilityUnlinkabilityConfidentiality

4 / 31




Privacy/Paradigms

Paradigms of privacy [4]Privacy as a controlPrivacy as confidentialityPrivacy as practice

5 / 31




Privacy

Legislation to protect users’ privacyData Protection Directive – Europe [5]Health Insurance Portability and Accountability Act(HIPAA) – USA [6]Gramm-Leach-Bliley Act – USA [7]The Internet Bill of Rights – Brazil [8]

Legislations main goalProtect users against unwilling data disclosure andprocessing

6 / 31




Identity management/Access control model

Attribute Based Access Control (ABAC)Attributes are properties/characteristics of entitiesIt uses attributes relevant for the request contextIt evaluates rules against attributes of entities

7 / 31




Fundamentos/Identities

Identity definitionSet of attributes that represent a user or a systemAlso known as personally identifiable information (PII)

Example

Attribute ValueID 11111010101

Name JohnLast name Smith

SSN 403289440email [email protected] manager

... ... 8 / 31




Identity management

DefinitionThe process of managing users’ identity attributes [9]It deal with collection, authentication, and use ofidentities’ attributesIt provides means to create, manage and useidentitiesAllows single sign on (SSO) and single log out (SLO)

9 / 31




Identity management

Roles in Identity management systems (IMS) [10]UsersIdentityIdentity provider (IdP)Service provider (SP)

10 / 31




Identity management/Credentials

Credential definitionAttributes used to authenticate a user a single usere.g. a par of login and password, biometrics or digitalcertificates

11 / 31




Identity management/Basic processes

AuthenticationPerformed at the IdPIt uses a credential to confirm identity

AuthorizationMostly performed at the SPIt uses users’ attributes sent from the IdP to SPSP deliberates about the resource delivery

12 / 31




Identity management environment

Single administrative domain

13 / 31




Federation

DefinitionAn association of service providers and identityprovidersIt allows users to access resources in multipleadministrative domains (ADs)Users authenticate with their home AD

14 / 31




Federation/picture

Multiple ADs

15 / 31




Federation/technologies

Exchange data formatSecurity Assertion Markup Language (SAML)OpenId Connect (JSON)

16 / 31





Frameworks/toolsAuthentic 2Higgins (Personal Data Service)OpenAMOpenId connectPing federateShibboleth

17 / 31





Frameworks characteristics

ProjectOpen

Source?Has a

protocolOwner Data format Who uses

Shibboleth Yes No Internet2 SAML 1/2 Academia

OpenAM Yes No ForgeRockSAML 1/2,

OpenId ConnectIndustry

Authentic 2 Yes No Entr’ouvert SAML 2, OpenID 1/2Low

adherence

OpenID Connect Yes Yes OpenIDOpenId Connect

(Json)Industry/academy

Higgins Yes No Eclipse SAMLLow

adherencePing Federate No No PingIdentity SAML e OpenID Industry

18 / 31



Cloud challenges

Cloud challengesData managementData securityData privacy

19 / 31



Challenges on IMS

Lack of user control over PIIs stored on IdPAttributes stored out of user’s boundariesAdministrators with permissions and means toaccess user’s attributesAttributes vulnerable to unwilling access anddisclosure

20 / 31



Challenges on IMS

Awareness of disclosure processUsers are the owners of their attributeThey must know which data is being disclosedThe should be able to select/unselect any attribute

21 / 31



Challenges on IMS

Awareness of disclosure process

22 / 31



Challenges on IMS

Absence of disclosure support during disseminationprocess

The dissemination process is a complex taskThe amount of attributes and its combination is hugeUsers do not have know-how to decide which set ofattributes can bring more or less risk

23 / 31



Challenges on IMS

Absence of disclosure support during disseminationprocess

24 / 31



Challenges on IMS

Lack of means to control disclosed attributesCan the SP store the attributes? for how long?Can it be disseminated to third parties?Attributes control enforcement on SPs is a hardproblem to solveThe use of policies with the disclosed attributes canbring some light to this problemThe use of policies brings up another problem. Thepolicy enforcement on SPs

25 / 31



ConclusionsThere are no definitive answers for the present issues(for now)Privacy of attributes on IMS is a recent topicMechanisms to provide effective control of attributesfor users are still open for debatesDisclosure support methods should be carefullystudied and added to IMSPolicy enforcement on SPs is an open problem tosolve

26 / 31



Our work

We are researching methods:To provide users with control and privacy on attributesTo assure privacy of attributes between providersinteractions (SP-IdP, SP-SP)Support for users during the disclosure process

27 / 31



Our work

FundingBrazilian Funding Authority for Studies and Projects(FINEP)

ProjectBrazilian National Research Network in Security andCryptography project (RENASIC)Conducted at Federal University of Santa Catarina(UFSC) in the Networks and Management laboratory(LRG).

28 / 31



The end

Discussion momentQuestionsDoubtsDiscussions

29 / 31



References I

[1] Landwehr, Carl and Boneh, Dan and Mitchell, John C and Bellovin, Steven M and Landau, Susan and Lesk,

Michael E.

Privacy and cybersecurity: The next 100 years.

Proceedings of the IEEE, Special Centennial Issue, 2012.

[2] Lauterpacht, Hersch.

The Universal Declaration of Human Rights.

Journal Brit. YB Int’l L., 1948.

[3] Birrell, Eleanor and Schneider, Fred B

Federated identity management systems: A privacy-based characterization.

IEEE security & privacy. 2013.

[4] Diaz, Claudia and Gurses, Seda

Understanding the landscape of privacy technologies.

Extended abstract of invited talk in proceedings of the Information Security Summit. 2012.

[5] Directive, EU

95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals

with regard to the processing of personal data and on the free movement of such data.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

30 / 31



References II

[6] United States Congress

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm

[7] United States Congress

GRAMM-LEACH-BLILEY ACT.

http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm

[8] Civil, Casa

Lei No12.965, DE 23 abril de 2014.

http://www.planalto.gov.br/ccivil 03/ ato2011-2014/2014/lei/l12965.htm

[9] Chadwick, David W

Federated identity management.

Foundations of Security Analysis and Design V.

[10] Bertino, Elisa and Takahashi, Kenji

Identity Management: Concepts, Technologies, and Systems.

Artech House.

31 / 31

72#

Risk(based#Access#Control#Architecture#for#Cloud#

Compu:ng#

NOVEMBER#16TH,#LISBON,#PORTUGAL# 72#IARIA#NetWare#2014#(#TUTORIAL#2#

Agenda• Introduction

• Related work

• Risk-based access control

• Proposed architecture

• Implementation and experiments

• Conclusion and future work

Introduction• Cloud computing is a successful paradigm and cloud

federations aim to make it even more efficient and scalable by sharing resources among providers

• In highly distributed, dynamic and heterogeneous environments, traditional access control models present problems, such as: scalability, flexibility and the use of static policies

• Dynamic access control models, like risk-based, provide greater flexibility and are able to handle exceptional requests (“break the glass”)

Introduction• We present a model for dynamic risk-based access

control for cloud computing

• The system uses quantification and aggregation of risk metrics that are defined in risk policies, which are created by the owners of the cloud resources

• It is built on top on an XACML architecture and allows the use of ABAC coupled with risk analysis

Related Work• Fall et al. [1] - presents the first idea of risk-based

AC for cloud. Propose using NSA RAdAC, but show no implementation

• Arias-Cabarcos et al. [2] - proposes the use of a fixed set of risk metrics for establishing identity federations in the cloud

• Sharma et al. [3] - uses risk-based AC on top of RBAC for cloud e-Health. Their model has 3 metrics (Confidentiality, Integrity and Availability)

Risk-based Access Control• Traditional access control models employ static

authorization, i.e., every decision is pre-established, based on the policies

• The idea behind dynamic access control is that the access requests must be analyzed taking into account contextual and environmental information such as security risk, operational need, benefit and others

• Real applications may require the violation of security policies, and the support for exceptional access requests is known as “break the glass”

Risk-based Access Control• Uses a function that evaluates in “real time” each

request

• Risk analysis can be qualitative, with levels of risk, or quantitative, where risk is usually defined as: Probability X Impact

• Many approaches to risk quantification: fuzzy logic, machine learning, probabilistic inference, … • usually based on the history of users and access

Proposed Architecture• XACML extension. ABAC and risk-based are taken in parallel and

then combined to reach a final decision. • Combination rules: Deny overrides, Permit overrides, ABAC

precedence, Risk precedence

• Risk decision is based on XML risk policies associated to a resource. A policy defines a set of risk metrics, how to quantify and aggregate them and an acceptable risk threshold

• Quantification and aggregation methods can be local (in the CSP) or external, defined by the resource owner as a web service

• The CSP has a basic risk policy, defining the maximum risk level accepted by it

Overview

Decision process

Case study - cloud federation

• Identity and Access Management is a big challenge when setting up a cloud federation

• It involves a notion of trust, which is usually mediated by an identity federation, this has two major issues: • trust agreements and interoperability

• To decrease the level of trust needed among participating clouds, we incorporate the notion of risk

• Also, interoperability may be increased, because a missing attribute in a message may also be considered as a risk factor, instead of stopping communication

Case study - cloud federation

Considerations• The architecture allows a flexible AC system

• Risk analysis may be too subjective • The support of Obligations is essential

• Risk policies allow the use of many risk metrics, using diverse quantification and aggregation methods from different sources

• The main limitation is the performance overhead due to the processing of the risk policies and the quantification of the risk metrics

Implementation• Three stages:

• Access control architecture; Cloud federation; Risk quantification and aggregation methods

• Python, ndg-xacml, ZeroMQ, web.py, peewee, MySQL, OpenNebula

• Two risk policies implemented for tests: • Sharma et al. [3] : ((a * p1) + (i * p2) + (c * p3) +

pastScore) !

• Britton and Brown [4] : 27 metrics

Experiments - risk policy<rp:risk-policy version="1.0" xmlns:rp="http://inf. ufsc.br/~danielrs"> <rp:resource id="1"/><rp:user id="1"/> <rp:metric-set name="sharma2012"> <rp:metric> <rp:name>Confidentiality</rp:name> <rp:quantification>https://localhost:8443/quantify-conf</rp:quantification> </rp:metric> <rp:metric> <rp:name>Availability</rp:name> <rp:quantification>https://localhost:8443/quantify-avail</rp:quantification> </rp:metric> <rp:metric> <rp:name>Integrity</rp:name> <rp:quantification>https://localhost:8443/quantify-int</rp:quantification> </rp:metric> </rp:metric-set> <rp:aggregation-engine>https://localhost:8443/aggregate</rp:aggregation-engine> <rp:risk-threshold>1.5</rp:risk-threshold> </rp:risk-policy>

Experiments

</rp:metric>

<rp:metric>

<rp:name>Integrity</rp:name>

<rp:quantification>https://

localhost:8443/quantify-int</

rp:quantification>

</rp:metric>

</rp:metric-set>

<rp:aggregation-engine>https://localhost:8443/

aggregate</rp:aggregation-engine>

<rp:risk-threshold>1.5</rp:risk-threshold>

</rp:risk-policy>

A. Example of use

To illustrate the operation of the implementation we de-scribe an example of use. In this example, we consider onlyone CSP that stores and instantiates the resources of its users.

Suppose that Alice instantiates a virtual machine (VM) inthis CSP and decides that it accepts risk-based access control,which is supported by the CSP. She then defines an XACMLpolicy, a risk policy and a combination rule for this VM. Inthe XACML policy, Alice defines two types of access: (i) sheand users who belong to her group of friends can view themachine; and (ii) only she can edit or delete the machine. Allof the other actions, for all of the other users are forbidden.As risk policy, Alice uses the implementation of Sharma et al.[34], which consider metrics for Confidentiality, Integrity andAvailability.

Suppose that there are two more users in this CSP: Bob,who is in the group of Alice’s friends and Charlie, who is not.Considering the XACML access control, when Alice tries toaccess the machine for any action, her access is granted; whenBob tries to access the machine, he has the access granted forviewing, but not for editing or deleting; Charlie has the accessdenied for any action. Considering risk, the result is the samefor any user because in the implementation the past risk scorewas fixed in 1 for every user.

Let us explore an access decision for Charlie’s request toview Alice’s VM. The request comes to the PEP and is sent tothe PDP. At this moment the XACML PDP and the risk engineare called. In this case, the XACML decision would be DENY.The risk decision is based on the action chosen (viewing) andthe fact that the resource is sensitive. Thus, the impact resultswould be: 0 for availability (a), 0 for integrity (i) and 1 forconfidentiality (c) [34]. Since we have no history to base ourcalculations, let us consider the probability of occurrence ofevery result as 0.33 and the past risk score of every user as 1.The aggregated risk would then be:

((a * p1) + (i * p2) + (c * p3) + pastScore) = ((0 * 0.33)+ (0 * 0.33) + (1 * 0.33) + 1) = 1.33

Since the risk score (1.33) is lower than the thresholddefined in the policy (1.5), the risk decision is PERMIT. Thefinal result depends on the combination rule being used. Ifthe rule is Permit Overrides or Risk Precedence, the result isPERMIT, otherwise it is DENY.

B. Experiments

To test the implementation, we used VMs instantiated inAmazon EC2. These machines have 1.7 GB of RAM, 160GB

of storage and a CPU that corresponds to a 1.2GHz Xeon.Three sets of experiments were performed. The first set isa comparison among different access control policies. Thesecond set is an evaluation of the number of metrics in a givenpolicy and the third, an evaluation of the influence of localand external metrics in the same policy. All of the times arein milliseconds (ms).

The results of the first set of experiments are shown inTable I, which presents the time spent to reach an accessdecision using three different policies: (i) only XACML; (ii)XACML + the policy of [34]; and (iii) XACML + [33]. All ofthe quantification and aggregation functions are implementedlocally. The increasing time is due to an increasing number ofmetrics.

TABLE I. PERFORMANCE OF RISK POLICIES

Policy min. (ms) max. (ms) avg (ms)XACML 0.925 4.278 1.040XACML+[34] 1.986 11.973 2.436XACML+[33] 4.395 14.234 5.352

In the second set of experiments, we used a risk policywith a varying number of metrics, all quantified locally. Allof the metrics just returned random values, so we could get aperformance result based only on the number of metrics andnot on the complexity of each metric. Table II shows the resultsof this set of experiments.

TABLE II. PERFORMANCE WITH A VARYING NUMBER OF METRICS

Number of metrics min. (ms) max. (ms) avg (ms)1 1.832 12.130 2.24310 2.612 12.876 3.171100 10.922 60.442 14.0301000 96.041 175.245 121.38310000 1168.511 1517.364 1361.025

Increasing the number of local metrics impacts the perfor-mance of the system, however, this impact can be toleratedeven with a huge number of metrics (10000). It is importantto notice that the impact on performance is due more to theprocessing of the XML file containing the policy than to theprocessing of the metrics.

In the third set of experiments, we used a risk policycontaining 10 policies which, as before, return random riskvalues. In this set, four kinds of policies were defined. CaseA represents 10 requests handled only by local XACML;case B represents 10 local risk quantification metrics; case Crepresents 5 local and 5 remote metrics (web services); andcase D represents a risk policy with 10 remote metrics. Inevery case the aggregation rule is local. Table 3 shows theresults obtained in each case.

TABLE III. PERFORMANCE WITH LOCAL AND EXTERNAL METRICS

Case min. (ms) max. (ms) avg (ms)A 1.057 9.372 1.46B 1.824 15.564 4.574C 1556.182 2813.56 1726.71D 3247.563 10350.5 4220.6

It is easy to notice that the use of web services heavilyimpacts performance and that the use of 10 remote metricsis already impracticable for an access control system. Finally,

</rp:metric>

<rp:metric>




rp:quantification>

</rp:metric>

</rp:metric-set>




</rp:risk-policy>

A. Example of use







B. Experiments














</rp:metric>

<rp:metric>




rp:quantification>

</rp:metric>

</rp:metric-set>




</rp:risk-policy>

A. Example of use







B. Experiments














Experiments

Fig. 4. Time spent to reach an access decision

Figure 4 shows the growth in time spent to reach an accessdecision as the number of metrics increase. The X axis isthe number of metrics and the Y axis is the time spent inmilliseconds. The solid line with square markers is for localmetrics and the dashed line with circular markers is for remotemetrics.

C. Discussion

Measuring security is not easy and for access controlsystems it usually involves the definition of a set of possiblestates and the proof that in no configuration of states there isleaking of permissions [35]. Since there is no formal modelingfor risk-based access control, it is not possible to prove itscorrectness and, therefore, its security. This is why there areno experiments related to the security of the system presentedin this paper.

Hu et al. [35] recommend assessing an access controlsystem based on: administrative capacity and costs, policycoverage, extensibility and performance.

The proposed model is equivalent to XACML in termsof administrative capacity and costs, only adding the need tomanage risk policies. The coverage of policies and extensibilityof the system can be shown through the implementation ofmodels presented in related work. The performance of thesystem was evaluated quantitatively and we can draw someconclusions from the experiments. It can be seen that using thesystem with local metrics presents a satisfactory performanceand despite a performance decrease with a bigger number ofmetrics, this is expected and the system does not become inef-ficient. The use of external metrics, however, heavily impactsthe system, because of the time spent in HTTP communication.

V. RELATED WORK

Fall et al. [21] focus on the authorization problems createdby multi-tenancy in the cloud. The authors argue that tradi-tional access control models are static and not well suited tothe cloud, while risk-based models are dynamic and naturallyadapted to this environment. The authors propose using theNSA RAdAC model and identify some risk situations for thecloud. The paper introduces the concept of risk-based accesscontrol for cloud computing, but shows no implementation.

Arias-Cabarcos et al. [36] describe current issues in FIMon cloud and propose using risk analysis to allow dynamic

federations. The authors propose using risk metrics to quantifyand aggregate risk and present a taxonomy of risk metricsconsidering pre-federation and post-federation stages. There isan example of use and the method is detailed. The proposal,however, considers a fixed set of metrics, not allowing usersor providers to define their metrics.

Sharma et al. [34] show a risk-based access control modelfor cloud e-health. According to the authors, RBAC does nottake into account uncertainty and risk, thus being unsuited forthe cloud. The paper presents a prototype implementation con-sidering three metrics: confidentiality, availability and integrity.In the model, every task to be accomplished in the systemis sent to the cloud, where a risk score is attributed to it.The model is implemented on top of RBAC, so it uses roledelegation along with the risk analysis.

Britton and Brown [33] present a quantification methodfor the NSA RAdAC model. In their proposed model, 27metrics are divided in 6 categories, evaluated for every accessrequest and aggregated to achieve a measure of the totalsecurity risk. Their risk definition considers both probabilityand impact as high, medium or low. They employ a triangularprobability distribution and a Monte Carlo simulation to findthe probability of each event, which is then multiplied by aweight attributed by experts to each metric. Since it is a methodfor military applications, some metrics are not suitable for ageneral cloud application.

Several works describe authentication and authorization indifferent cloud federation models [37, 38, 39, 31].

This work is an improvement on our previous work [32],which focused on the application of a similar model to cloudfederations. In the present work, the model has been revisedand we present new experiments and a greater analysis anddiscussion of the model.

VI. CONCLUSION

The development of access control systems for cloudcomputing is of great importance, because these systems arefundamental to enable the security of these environments.

Traditional access control models, currently implementedin most cloud solutions are not enough to ensure the securityof these environments when it is necessary to have a greaterflexibility to enable efficient information sharing in criticalsituations.

Risk-based access control models are an alternative and,despite the fact that there are proposals in the literature for itsuse in the cloud, they are very specific to a given situation,disallowing its application in a more general context and thereis no reference architecture that allows its extension.

This paper presented a dynamic risk-based access controlarchitecture for cloud computing, with an application to cloudfederations. The architecture is built as an XACML extension,adding flexibility for resource and information sharing in adynamic environment such as the cloud, while keeping thedistribution and scalability features. The architecture is basedon the use of risk policies, which describe the risk metricsconsidered most important by users and providers.

Conclusion• AC systems for the cloud are of great importance and traditional

AC models are not enough for the cloud

• Risk-based AC tend to be very specific to a given scenario, we tried to make it more general, to be applied in a CSP

• We presented, implemented and evaluated the performance of our architecture

• As future work, we would like to: integrate the architecture into a mature cloud federation project; implement other risk quantification methods; improve the performance of external metrics (caching, concurrent requests, …); and develop a reference set of risk metrics for the cloud

References• [1] D. Fall, G. Blanc, T. Okuda, Y. Kadobayashi, and S. Yamaguchi, “Toward

Quantified Risk-Adaptive Access Control for Multi-tenant Cloud Computing,” in Proceedings of the 6th Joint Workshop on Information Security, October 2011.

• [2] P. Arias-Cabarcos, F. Almenárez-Mendoza, A. Marín- López, D. Díaz-Sánchez, and R. Sánchez-Guerrero, “A metric-based approach to assess risk for “on cloud” federated identity management,” Journal of Network and Systems Management, vol. 20, pp. 513–533, 2012.

• [3] M. Sharma, Y. Bai, S. Chung, and L. Dai, “Using risk in access control for cloud-assisted ehealth,” in IEEE 14th International Conference on High Performance Comput- ing and Communication, 2012, 2012, pp. 1047–1052.

• [4] D. Britton and I. Brown, A security risk measurement for the RAdAC model, 2007.

73#

RAClouds#–#Risk#Analysis##for#Clouds#

NOVEMBER#16TH,#LISBON,#PORTUGAL# 73#IARIA#NetWare#2014#K#TUTORIAL#2#

•  Introduction

•  Related Work

•  Approach of the Proposed Solution

Introduction

•  The safety evaluation of providers is a big challenge for CCs (CSA, 2011)

•  Risk analysis includes (ISO 27005, 2011): –  Identification of the need for controls – Evaluation of the efficiency of controls

Introduction

•  Risk Analysis can assist the CC –  for the selection and maintenance of your CSP

•  But consider: – Business requirements – Broad scope of risk – Regardless of CSP

Introduction

•  The lack of these principles generates: – Disregard the requirements of the client's

business – Limited selection of possible security

requirements – Customer distrust regarding disclosure of

risks encountered

Introduction

•  Propose a computational model in which a CC (consumer cloud) can perform risk analysis in a CSP (Cloud Service Proveder) so:

– Adherent (needs CC); – Comprehensive (proper scope); –  Independent (relative to CSP)

Related Work

•  Dey (2013): integration with mobile devices;

•  Zhou (2013): performance testing;

•  Kolluru (2013): Client connection to the cloud;

•  Lor (2012): applications in federations of clouds;

Related Work

•  Grobauer (2012): Mapping specific vulnerabilities of cloud computing;

•  Rot (2013): Study of threats in the cloud;

•  Luna (2012): SLAs for cloud security;

•  Bleikertz (2013): assessment by the CC;

•  Grezele (2013): risks related to cloud database;

Related Work

•  Ristov (2012): Risk analysis based on ISO 27001;

•  Ristov (2013): Risk Analysis for OpenStack, Eucalyptus, OpenNebula and CloudStack environment;

•  Mirkovié (2013): ISO 27001 controls the cloud;

•  Bhensook (2012) and Ullah (2013):

–  Effort CSA for safety assessment

–  CloudAudit model

–  Based on ISO 27001

Related Work

•  Hale (2012): SecAgreement for monitoring security metrics;

•  Zech (2012): Risk analysis of external interfaces; •  Wang (2012): analysis of risk based CVE; •  Khosravani (2013): a case study of the

requirements of CC; •  Lenkala (2013): metrics for risk analysis in the

cloud; •  Liu (2013): Risk assessment in virtual machines;

Proposed Solution

Proposed Solution

•  Agent ISL: – Definition of threats and vulnerabilities – Risk describes a descriptor using RDL - Risk

Definition Languagem – Specifies the form of risk assessment through a

WSRA - Risk Analyser WebService – RDLs and provides WSRAs for RACloud

Proposed Solution

•  Agent CC: – Definition of information assets – Complements the RDL with the impact of

information – Provides extension to the RDL RACloud – Start the assessment and receive results

Proposed Solution

•  CSP Agent: –  Imports RDLs RACloud –  Implements calls to WSRAs – Make the Call of risk assessments of ISLs

Proposed Solution

Proposed Solution

•  Model is organized into:

– Specification phase: environmental risk analysis is configured;

– Evaluation Phase: risk analysis is performed;

Proposed Solution

•  Component Specification: – Registry Manager: Records CC, CSP and ISL

manager; – RDL Manager: descriptors of risk (threat +

vulnerability) manager; – RDL Manager Extensions: Extensions

RDL (information assets) manager;

Proposed Solution

Proposed Solution

•  Components of Evaluation: –  Risk Analysis: Does the coordination between other

internal components; –  RA Processor: establishes relationships and makes the

calculation of risk; –  Impacts Evaluation: assessing the impact on CC; –  CSP Proxy: call for testing the ISL; –  WSRA Evaluation: evaluation of safety requirements;

Proposed Solution

Discussion

•  Multiple ISLs can act in defining RDLs and WSRAs (coverage)

•  The related works do not meet these characteristics

•  Are usually focused on specific evaluations by PHC itself, without considering the CC

Discussion

References

•  M. K. Srinivasan et al., “State-of-the-art cloud computing security taxonomies: a classification of security challenges in the present cloud computing environment”. ICACCI '12: Proceedings of the International Conference on Advances in Computing, Communications and Informatics. August 2012.

•  J. Zhang, D. Sun and D. Zhai, "A research on the indicator system of Cloud Computing Security Risk Assessment," Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE), 2012 International Conference on , vol., no., pp.121,123, 15-18 June 2012 doi: 10.1109/ ICQR2MSE. 2012.6246200.

•  M. L. Hale and R. Gamble, "SecAgreement: Advancing Security Risk Calculations in Cloud Services," Services (SERVICES), 2012 IEEE Eighth World Congress on , vol., no., pp.133-140, 24-29 June 2012 doi: 10.1109/SERVICES.2012.31.

•  P. Zech, M. Felderer and R. Breu, "Towards a Model Based Security Testing Approach of Cloud Computing Environments," Software Security and Reliability Companion (SERE-C), 2012 IEEE Sixth International Conference on , vol., no., pp.47,56, 20-22 June 2012 doi: 10.1109/SERE-C.2012.11.

•  P. Wang et al., "Threat risk analysis for cloud security based on Attack-Defense Trees," Computing Technology and Information Management (ICCM), 2012 8th International Conference on, vol.1, no., pp.106-111, 24-26 April 2012.

•  S. Ristov, M. Gusev and M. Kostoska, "A new methodology for security evaluation in cloud computing," MIPRO, 2012 Proceedings of the 35th International Convention , vol., no., pp.1484-1489, 21-25 May 2012.

•  J. Morin, J. Aubert and B. Gateau, "Towards Cloud Computing SLA Risk Management: Issues and Challenges," System Science (HICSS), 2012 45th Hawaii International Conference on , vol., no., pp.5509-5514, 4-7 Jan. 2012 doi: 10.1109/HICSS.2012.602.

Challenges)in)Cloud)) Compu0ng)Security)...Challenges)in)Cloud)) Compu0ng)Security)!!!!...

Documents

Transcript of Challenges)in)Cloud)) Compu0ng)Security)...Challenges)in)Cloud)) Compu0ng)Security)!!!!...